Release: Merge back 2.46.4 into dev from: master-into-dev/2.46.4-2.47.0-dev #12517
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
….47.0-dev Release: Merge back 2.46.3 into bugfix from: master-into-bugfix/2.46.3-2.47.0-dev
Co-authored-by: Paul Osinski <paul.m.osinski@gmail.com>
Co-authored-by: Amine <amine@galeax.com>
* Fix AnchoreCTL Policies parser to support new format with evaluations array This commit updates the AnchoreCTL Policies parser to support both the legacy and new format reports generated by the AnchoreCTL tool. Changes: - Added detection for the new format which has an object with evaluations array instead of a root-level list - Implemented conversion logic to transform the new format into a compatible structure for parsing - Improved error handling with more descriptive messages - Made field extraction more robust with proper fallbacks between formats The parser now successfully processes both: - Legacy format (list at root level) - New format from anchorectl policy evaluate -o json (object with evaluations array) * Added tests for the new format to verify correct parsing * Fixed linter errors * Update AnchoreCTL Policies Report documentation for clarity and format support * Removed unnecessary text from anchorectl_policies
* legacy reimport: match title case insensitive * update reimporter
* ms defender: do not cache parsed findings * update other parsers class variables
* unique_id_from_tool_remark * unique_id_from_tool_remark * unique_id_from_tool_remark * add migration for textual changes
…12391) * fix: add CVSSv4 support to auditjs parser and improve error handling * fix: add CVSSv4 support to auditjs parser and improve error handling * lint: fix exception style, add CVSS4.0 vector to description * tests: Add tests for CVSS V2 and V4 vectors and update scan examples * docs: Correct comment text * temp: add local parse_cvss_from_text until upstream PR is merged * docs: fix docstring formatting to comply with D413 * Update dojo/tools/auditjs/parser.py * Update dojo/tools/auditjs/parser.py --------- Co-authored-by: valentijnscholten <valentijnscholten@gmail.com>
* Update Support Messaging * Revert CSS change * Update wording * Silly type :face_palm:
Release: Merge release into master from: release/2.46.4
github-actions
bot
added
docker
New Migration
🔴 Risk threshold exceeded.This pull request contains multiple sensitive file edits across various components of the Dojo application, including models, templates, and utility files, with additional potential security risks such as information exposure through URLs, flexible parsing mechanisms, and logging vulnerabilities that could aid in reconnaissance or compromise system integrity.
|
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
⚠️ Configured Codepaths Edit in dojo/templates/dojo/product_metrics.html
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
⚠️ Configured Codepaths Edit in docker/entrypoint-initializer.sh
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
⚠️ Configured Codepaths Edit in dojo/announcement/signals.py
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
⚠️ Configured Codepaths Edit in dojo/context_processors.py
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
⚠️ Configured Codepaths Edit in dojo/db_migrations/0229_alter_finding_unique_id_from_tool.py
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
⚠️ Configured Codepaths Edit in dojo/importers/default_reimporter.py
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
⚠️ Configured Codepaths Edit in dojo/models.py
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
⚠️ Configured Codepaths Edit in dojo/tasks.py
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
⚠️ Configured Codepaths Edit in dojo/templates/base.html
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
⚠️ Configured Codepaths Edit in dojo/templates/dojo/product_metrics.html
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
⚠️ Configured Codepaths Edit in dojo/templates/dojo/support.html
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
⚠️ Configured Codepaths Edit in dojo/templatetags/display_tags.py
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
⚠️ Configured Codepaths Edit in dojo/utils.py
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
⚠️ Configured Codepaths Edit in dojo/context_processors.py
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
⚠️ Configured Codepaths Edit in dojo/models.py
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
⚠️ Configured Codepaths Edit in dojo/templates/base.html
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
⚠️ Configured Codepaths Edit in dojo/utils.py
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
💭 Unconfirmed Findings (12)
| Vulnerability | Potential Phishing/Social Engineering Risk |
|---|---|
| Description | External onboarding link in docker/entrypoint-initializer.sh could be exploited for social engineering if an attacker gains control of the deployment |
| Vulnerability | Potential Tag Injection Risk |
|---|---|
| Description | Tag format changes in docs/content/en/changelog/changelog.md could cause data transformation problems during migration |
| Vulnerability | Potential Information Leakage in Deduplication Configuration |
|---|---|
| Description | Risk of using dynamically generated identifiers for deduplication in docs/content/en/open_source/contributing/how-to-write-a-parser.md |
| Vulnerability | Hardcoded External URL Exposure |
|---|---|
| Description | Internal cloud onboarding URL revealed in dojo/templates/base.html that could provide infrastructure insights |
| Vulnerability | Potential Information Exposure via URL |
|---|---|
| Description | Internal/staging cloud URL exposed in dojo/templates/dojo/support.html that could aid reconnaissance |
| Vulnerability | Potential Information Disclosure through Predictable Vulnerability URL Generation |
|---|---|
| Description | URL generation mechanism in dojo/templatetags/display_tags.py could expose sensitive information |
| Vulnerability | Potential Information Exposure through Flexible Parsing |
|---|---|
| Description | Flexible JSON parsing in dojo/tools/anchorectl_policies/parser.py might allow processing of partially malformed inputs |
| Vulnerability | Logging of Parsing Errors without Strict Validation |
|---|---|
| Description | Potential masking of serious parsing issues in dojo/tools/anchorectl_policies/parser.py could lead to incomplete or incorrect security findings |
| Vulnerability | Potential Parsing Errors with CVSS Vectors |
|---|---|
| Description | Expanded attack surface for CVSS vector parsing with complex regex in dojo/tools/auditjs/parser.py |
| Vulnerability | Potential State Management Vulnerability |
|---|---|
| Description | Changes in data passing in dojo/tools/fortify/fpr_parser.py could introduce state management issues |
| Vulnerability | Potential Logging Information Disclosure |
|---|---|
| Description | Logging statements in dojo/tools/ms_defender/parser.py might expose internal file structure |
| Vulnerability | Case-Sensitive Finding Title Matching Removed |
|---|---|
| Description | Case-insensitive matching in dojo/utils.py could unintentionally merge or identify distinct findings |
We've notified @mtesauro.
All finding details can be found in the DryRun Security Dashboard.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Release triggered by
rossops